Control: 5.1.6 Ensure that Service Account Tokens are only mounted where necessary
Description
Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server.
Mounting service account tokens inside pods can provide an avenue for privilege escalation attacks where an attacker is able to compromise a single pod in the cluster.
Avoiding mounting these tokens removes this attack avenue.
Remediation
Modify the definition of pods and service accounts which do not need to mount service account tokens to disable it.
References
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.cis_kube_v120_v100_5_1_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.cis_kube_v120_v100_5_1_6 --share
SQL
This control uses a named query:
pod_service_account_token_disabled